Possible network intrusion - Can't trace IP!

Kris

Hello,

I am looking for advice on how to determine where some potentially malicious
network traffic is originating from?

The situation is the Fsecure Firewall on a number of client machines on our
network has blocked traffic reported as the following:

Inbound TCP
Malware - Bagle.Y in
Remote port 9500
Remote address 192.0.2.42
Local Port 2535
Local address 192.168.16.24

All reports have identified the same remote IP address.

On Monday morning I configured another linux based firewall (in addition to
our security device firewall) that acts as a transparent bridge. This only
allows port 80, 25, 1723 and 53. Since configuring this firewall on Monday
Fsecure has continued blocking the threat on port 9500. Therefore I believe
the traffic is internal and the IP of the threat is spoofed.

We also have a wireless access point which I turned off last night.

I am concerned a computer on our network is infected with the worm. Is there
a way I can sniff for traffic originating from port 9500 on our network to
determine the ip address it's originating from?

We have 3 fairly modern switches; if I were to use a packet sniffer, would I
need to run a sniffer on each switch?

Thanks,

Kip.
 
David H. Lipman

From: "Kris" <Kris@discussions.microsoft.com>

| Hello,

| I am looking for advice on how to determine where some potentially malicious
| network traffic is originating from?

| The situation is the Fsecure Firewall on a number of client machines on our
| network has blocked traffic reported as the following:

| Inbound TCP
| Malware - Bagle.Y in
| Remote port 9500
| Remote address 192.0.2.42
| Local Port 2535
| Local address 192.168.16.24

| All reports have identified the same remote IP address.

| On Monday morning I configured another linux based firewall (in addition to
| our security device firewall) that acts as a transparent bridge. This only
| allows port 80, 25, 1723 and 53. Since configuring this firewall on Monday
| Fsecure has continued blocking the threat on port 9500. Therefore I believe
| the traffic is internal and the IP of the threat is spoofed.

| We also have a wireless access point which I turned off last night.

| I am concerned a computer on our network is infected with the worm. Is there
| a way I can sniff for traffic originating from port 9500 on our network to
| determine the ip address it's originating from?

| We have 3 fairly modern switches, if I was to use a packet sniffer would I
| need to run a sniffer on each switch?

| Thanks,

| Kip.

Actually, you would have to sniff at each port of a switch because E-Switches are not like
hubs and each port is its own collision domain.

What does your border gateway/FireWall indicate?

If you don't have one, you should consider a FireWall on the LAN/WAN barrier.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
VanguardLH

Kris wrote:

> Hello,
>
> I am looking for advice on how to determine where some potentially malicious
> network traffic is originating from?
>
> The situation is the Fsecure Firewall on a number of client machines on our
> network has blocked traffic reported as the following:
>
> Inbound TCP
> Malware - Bagle.Y in
> Remote port 9500
> Remote address 192.0.2.42
> Local Port 2535
> Local address 192.168.16.24
>
> All reports have identified the same remote IP address.
>
> On Monday morning I configured another linux based firewall (in addition to
> our security device firewall) that acts as a transparent bridge. This only
> allows port 80, 25, 1723 and 53. Since configuring this firewall on Monday
> Fsecure has continued blocking the threat on port 9500. Therefore I believe
> the traffic is internal and the IP of the threat is spoofed.
>
> We also have a wireless access point which I turned off last night.
>
> I am concerned a computer on our network is infected with the worm. Is there
> a way I can sniff for traffic originating from port 9500 on our network to
> determine the ip address it's originating from?
>
> We have 3 fairly modern switches, if I was to use a packet sniffer would I
> need to run a sniffer on each switch?
>
> Thanks,
>
> Kip.


It's not a remote host. 192.0.2.42 is within an IANA reserved range for
private use. That is, the host is on your intranet. Could be the
malware is making the usurped host use a different IP address. What do
you see when you run "arp -a", which would show the MAC address of the
offending host? I don't know how likely it is that malware changes the MAC
address. The problem is then trying to find out which host has that MAC
address.

You could block that address at every switch or router and wait until
the user complains about network connectivity.
 
Lon

David H. Lipman wrote:
> From: "Kris" <Kris@discussions.microsoft.com>
>
> | Hello,
>
> | I am looking for advice on how to determine where some potentially malicious
> | network traffic is originating from?
>
> | The situation is the Fsecure Firewall on a number of client machines on our
> | network has blocked traffic reported as the following:
>
> | Inbound TCP
> | Malware - Bagle.Y in
> | Remote port 9500
> | Remote address 192.0.2.42
> | Local Port 2535
> | Local address 192.168.16.24
>
> | All reports have identified the same remote IP address.
>
> | On Monday morning I configured another linux based firewall (in addition to
> | our security device firewall) that acts as a transparent bridge. This only
> | allows port 80, 25, 1723 and 53. Since configuring this firewall on Monday
> | Fsecure has continued blocking the threat on port 9500. Therefore I believe
> | the traffic is internal and the IP of the threat is spoofed.
>
> | We also have a wireless access point which I turned off last night.
>
> | I am concerned a computer on our network is infected with the worm. Is there
> | a way I can sniff for traffic originating from port 9500 on our network to
> | determine the ip address it's originating from?
>
> | We have 3 fairly modern switches, if I was to use a packet sniffer would I
> | need to run a sniffer on each switch?
>
> | Thanks,
>
> | Kip.
>
> Actually, you would have to sniff at each port of a switch because E-Switches are not like
> hubs and each port is its own collision domain.
>
> What does your border gateway/FireWall indicate?
>
> If you don't have one, you should consider a FireWall on the LAN/WAN barrier.
>

Portspan the switch closest to the firewall to a computer inside. Might
be a good idea to use only a fresh install or a Unix/Linux box.
Wireshark is pretty easy to use.
 
Geoff

On Thu, 14 Aug 2008 09:39:01 -0700, Kris <Kris@discussions.microsoft.com>
wrote:

>Remote address 192.0.2.42


This is in the IANA reserved range for what used to be Class C private
networks; as such it is not back-traceable. Net 192/8 is ARIN controlled and
reserved space.

Your malware is spoofing the originating IP address, probably through
Berkeley raw sockets on a Linux box or a Windows box with raw sockets
enabled.

Sniffer on each switch? Definitely, since you can't trace the IP.

Grab one of the Fsecure machines reporting the traffic and sniff that one
for the port 9500 traffic. Identify the MAC address and then sniff that
switch; keep going up the network chain until you identify the source. You
are lucky it's periodic.
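Geoff's procedure above (sniff on one of the reporting clients, pick out the frames with source port 9500, read the Ethernet source address rather than the spoofed IP, then follow that MAC up through the switches) can be scripted. The following is an added example, not code from any poster in this thread or from F-Secure: it parses a classic libpcap file of the kind tcpdump or Wireshark saves, tallies TCP frames by Ethernet source address and claimed IPv4 source address, and also checks whether the reported remote address is globally routable at all. The capture it runs on is constructed inline (made-up MAC addresses, the thread's own IPs and ports); the function and file names are assumptions, not part of any tool mentioned here.

```python
import ipaddress
import struct
from collections import Counter

PORT_OF_INTEREST = 9500  # the remote port F-Secure reported in the thread


def address_is_routable(ip_text):
    """True only if the address could have arrived from the public internet.
    192.0.2.0/24 is IANA special-purpose space, so this is False for 192.0.2.42."""
    return ipaddress.ip_address(ip_text).is_global


def mac_to_text(raw6):
    return ":".join(f"{b:02x}" for b in raw6)


def tcp_senders_by_mac(pcap_bytes, port=PORT_OF_INTEREST):
    """Walk a classic libpcap (Ethernet, untagged) capture and count frames whose
    TCP source port is `port`, keyed by the Ethernet source MAC and the
    (possibly spoofed) IPv4 source address. The MAC is the value worth chasing."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled")
    hits = Counter()
    offset = 24  # global header is 24 bytes
    while offset + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[offset:offset + 16])
        offset += 16
        frame = pcap_bytes[offset:offset + incl_len]
        offset += incl_len
        if len(frame) < 14 + 20 + 4:          # Ethernet + IPv4 header + TCP ports
            continue
        if struct.unpack("!H", frame[12:14])[0] != 0x0800:  # not IPv4 (e.g. ARP)
            continue
        ihl = (frame[14] & 0x0F) * 4           # IPv4 header length in bytes
        if frame[14 + 9] != 6:                 # protocol field: 6 = TCP
            continue
        ports = frame[14 + ihl:14 + ihl + 4]
        if len(ports) < 4:
            continue
        sport, _dport = struct.unpack("!HH", ports)
        if sport == port:
            hits[(mac_to_text(frame[6:12]), str(ipaddress.IPv4Address(frame[26:30])))] += 1
    return hits


# --- constructed sample capture (invented MACs; the thread's IPs and ports) ---
def _frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport):
    """Minimal Ethernet/IPv4/TCP SYN frame; checksums are left at zero, which is
    fine for exercising a parser but would not survive a real network stack."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + b"\x08\x00")
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + tcp


def _pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    body = b"".join(struct.pack("<IIII", 1218700000 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return hdr + body


INFECTED_MAC = "00:11:22:33:44:55"   # hypothetical worm host
CLIENT_MAC = "00:aa:bb:cc:dd:01"     # hypothetical reporting client
SERVER_MAC = "00:aa:bb:cc:dd:02"     # hypothetical web server on the same LAN

SAMPLE_CAPTURE = _pcap([
    _frame(INFECTED_MAC, CLIENT_MAC, "192.0.2.42", "192.168.16.24", 9500, 2535),
    _frame(SERVER_MAC, CLIENT_MAC, "192.168.16.10", "192.168.16.24", 80, 1045),
    _frame(INFECTED_MAC, CLIENT_MAC, "192.0.2.42", "192.168.16.24", 9500, 2535),
    bytes.fromhex("ffffffffffff") + bytes.fromhex(SERVER_MAC.replace(":", ""))
    + b"\x08\x06" + b"\x00" * 28,  # an ARP frame, which must be skipped
    _frame(INFECTED_MAC, CLIENT_MAC, "192.0.2.42", "192.168.16.24", 9500, 2535),
])


if __name__ == "__main__":
    # Replace SAMPLE_CAPTURE with open("client.pcap", "rb").read() on a real box.
    print("192.0.2.42 routable from the internet:", address_is_routable("192.0.2.42"))
    for (mac, ip), n in tcp_senders_by_mac(SAMPLE_CAPTURE).most_common():
        print(f"{n:4d} frames  src MAC {mac}  claimed IP {ip}")
```

The Ethernet source address is the useful key: a raw-socket sender can put any IPv4 source in the packet, but the frame's MAC is filled in by the NIC driver, so it identifies the physical sender as long as the capture is taken on the same segment (across a router you would only see the router's interface MAC). Once you have the MAC, the switch's own address table tells you which port it was learned on, which is the walk up the chain Geoff describes. The parser deliberately ignores 802.1Q-tagged frames and pcapng files; for a production capture use a mirror port as Lon suggests and let Wireshark or tcpdump apply the filter.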
 
kalyan

hi

try the link

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.zip

Use the scanner

warm regards
kalyan


"Kris" <Kris@discussions.microsoft.com> wrote in message
news:566AEB1B-82E5-4A74-9CF6-28A4A49DEAA9@microsoft.com...
> Hello,
>
> I am looking for advice on how to determine where some potentially
> malicious
> network traffic is originating from?
>
> The situation is the Fsecure Firewall on a number of client machines on
> our
> network has blocked traffic reported as the following:
>
> Inbound TCP
> Malware - Bagle.Y in
> Remote port 9500
> Remote address 192.0.2.42
> Local Port 2535
> Local address 192.168.16.24
>
> All reports have identified the same remote IP address.
>
> On Monday morning I configured another linux based firewall (in addition
> to
> our security device firewall) that acts as a transparent bridge. This only
> allows port 80, 25, 1723 and 53. Since configuring this firewall on Monday
> Fsecure has continued blocking the threat on port 9500. Therefore I
> believe
> the traffic is internal and the IP of the threat is spoofed.
>
> We also have a wireless access point which I turned off last night.
>
> I am concerned a computer on our network is infected with the worm. Is
> there
> a way I can sniff for traffic originating from port 9500 on our network to
> determine the ip address it's originating from?
>
> We have 3 fairly modern switches, if I was to use a packet sniffer would I
> need to run a sniffer on each switch?
>
> Thanks,
>
> Kip.
 